HIPAA Compliance & SurveyMonkey
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a United States law that regulates the collection and handling of “protected health information” (PHI). Certain organizations called “covered entities” and their business associates are required to comply with HIPAA.
For SurveyMonkey, being "HIPAA-compliant" means that we offer a service that enables covered entities to collect and manage PHI through surveys in a manner compliant with HIPAA. As part of offering this service, SurveyMonkey ensures that it operates in a way that is consistent and compatible with those laws and SurveyMonkey's role as a business associate to a covered entity user.
SurveyMonkey offers a standard form BAA which meets the requirements of HIPAA and lets covered entities enter into it within their SurveyMonkey account. When a covered entity accepts the BAA, the name and title of the individual signing on behalf of the entity is recorded, along with the date of acceptance. Upon acceptance of the BAA, an account will be converted into a HIPAA-enabled account. To receive a copy of your BAA, please contact us.
We acknowledge that some covered entities have certain items they need to include in BAAs with their business associates. Because we offer HIPAA-enabled accounts at no additional cost, we do not negotiate customer form BAAs. However, we are open to negotiating our standard BAA for a fee. If you're interested in negotiating a custom BAA, fill out this form: Negotiate a Business Associate Agreement
As required by HIPAA, we implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that we receive, maintain, and transmit on behalf of covered entities with respect to their HIPAA-enabled accounts. These safeguards include measures required by the Security Rule, such as:
- Regular risk assessments of systems to ensure that safeguards remain relevant and effective
- Assigned security team which is responsible for maintaining compliance with HIPAA’s security requirements
- Screening, authorization, and training of SurveyMonkey staff who come into contact with customer PHI
- Data backup plans
- Disaster recovery plans
- Systems regularly monitored, updated, and patched
- Incident response plan that includes reporting of security incidents to affected covered entities
- All communications with SurveyMonkey servers encrypted with SSL
For more information, see our Security Statement.
When you enable HIPAA-compliant features, the following features required by HIPAA are activated on your account. These features help covered entities to comply with their own HIPAA obligations:
- Security reminders: We remind users of their HIPAA obligations with in-product messages that appear whenever they perform certain sensitive operations on PHI (such as exporting survey data that could potentially be shared with third parties).
- Automatic logoff: We time out user sessions after 30 minutes of inactivity.
- BAA: View a copy of your BAA in your account at any time.
- Logging: We provide enhanced logging of account access activity and modifications to survey data. We log a variety of events relating to HIPAA-enabled accounts by timestamp, identity (IP Address and/or account username), and event type. Event types that we log include:
  - Account login successes and failures
  - Account manual logouts
  - Account password reset requests
  - Account username requests
  - Collector deletions, openings and closings
  - Survey response exports
  - Survey response sharing and unsharing
  - Survey response deletions
  - API application authorizations and deauthorizations
  - Transferring surveys to other accounts
  - Whether the user or a SurveyMonkey admin performed the event
At the moment there is no way to access these logs through your online account. You may contact us to request logs.
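Once a covered entity receives a log export, it still has to review it. The following Python is an added example (not SurveyMonkey's code, and not its delivered log format) that works over constructed records in the field layout described above: timestamp, identity, event type, and who performed it. It pulls out the events that move survey data out of the account, the events performed by a SurveyMonkey admin rather than the user, and identities with repeated login failures. The record keys and event-type names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Event types (named here by assumption) that move survey data, and so
# possibly PHI, out of the HIPAA-enabled account; each should map to a
# known, authorized disclosure under the covered entity's HIPAA obligations.
PHI_DISCLOSURE_EVENTS = {"response_export", "response_share", "survey_transfer"}

# Constructed sample records in an assumed layout; the page lists the
# fields (timestamp, identity, event type, actor) but not a file format.
SAMPLE_LOG = [
    {"ts": "2024-03-01T09:00:00", "identity": "203.0.113.5", "event": "login_failure", "actor": "user"},
    {"ts": "2024-03-01T09:00:20", "identity": "203.0.113.5", "event": "login_failure", "actor": "user"},
    {"ts": "2024-03-01T09:00:45", "identity": "203.0.113.5", "event": "login_failure", "actor": "user"},
    {"ts": "2024-03-01T09:01:10", "identity": "203.0.113.5", "event": "login_failure", "actor": "user"},
    {"ts": "2024-03-01T09:05:00", "identity": "clinic_admin", "event": "login_success", "actor": "user"},
    {"ts": "2024-03-01T09:07:00", "identity": "clinic_admin", "event": "response_export", "actor": "user"},
    {"ts": "2024-03-01T10:00:00", "identity": "clinic_admin", "event": "survey_transfer", "actor": "surveymonkey_admin"},
    {"ts": "2024-03-01T11:00:00", "identity": "clinic_admin", "event": "collector_close", "actor": "user"},
]


def phi_disclosure_events(records):
    """Events that disclose survey data; timestamp, identity and actor are kept for the audit trail."""
    return [r for r in records if r["event"] in PHI_DISCLOSURE_EVENTS]


def admin_performed_events(records):
    """Events carried out by a SurveyMonkey admin; each should be traceable to a support request."""
    return [r for r in records if r["actor"] != "user"]


def failed_login_bursts(records, threshold=3, window=timedelta(minutes=5)):
    """Identities with at least `threshold` login failures inside a sliding `window`."""
    failures = defaultdict(list)
    for r in records:
        if r["event"] == "login_failure":
            failures[r["identity"]].append(datetime.fromisoformat(r["ts"]))
    flagged = set()
    for ident, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ident)
                break
    return sorted(flagged)
```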
Enabling HIPAA Features
You can enable HIPAA-compliant features on an individual PLATINUM plan or an ENTERPRISE team by entering into a BAA with SurveyMonkey.
The steps to enter into a BAA vary depending on your plan type. Please select the relevant section below for instructions:
To enter into a BAA with SurveyMonkey:
- In your PLATINUM account, click your username in the upper-right corner.
- Choose My Account.
- In the HIPAA section at the bottom of the page, click Enter into a BAA.
- Review the BAA.
- Complete the form. Make sure the BAA is accepted only by someone from your organization who is authorized to enter into a BAA. This may mean that the “Name” field in the BAA acceptance form needs to be the name of someone other than the account holder.
- Click Accept.
You can view your BAA at any time through the My Account page.
At this time you can't enable HIPAA-compliant features on a PLATINUM team within your account. Please contact us to discuss your options.
The Primary Admin of an ENTERPRISE team can enable HIPAA-compliant features for their team. All the accounts contained in the team will be HIPAA-enabled, meaning that all such accounts are permitted to collect PHI in their surveys.
There's no way to enable HIPAA-compliant features on only some individual accounts in a team. You can only enable HIPAA-compliant features on an entire team.
To enter into a BAA with SurveyMonkey:
- In your Primary Admin account, click your username in the upper-right corner.
- Choose My Team (or My Group).
- Under TEAM DETAILS, click Enter into a BAA.
- Review the BAA, complete the form, and click Accept.
All team members will be able to view a copy of that BAA through their account’s My Account page.
Review the common questions below to understand how downgrades work for HIPAA-enabled accounts.
No. Once you enable HIPAA-compliant features on your PLATINUM plan or ENTERPRISE team, it cannot be reverted back to a regular, non-HIPAA-enabled account.
If you want to remove HIPAA-compliant features from your account, or if you want a lower plan, you must open a new account. Note that you can transfer surveys from your HIPAA-enabled account to a regular account, but you must be very careful not to transfer any surveys that contain PHI (we do not permit users to store PHI in regular accounts, and regular accounts are not covered by a BAA).
If you decide you no longer need to use SurveyMonkey and do not renew your HIPAA-enabled account, your account will be placed into a suspended state. While suspended, SurveyMonkey will preserve all data contained in the account and continue to treat it in accordance with the BAA. However, you will not be able to access your survey data or account directly (except for limited billing and account administration functions).
SurveyMonkey will retain a suspended account for the period of time stated in the BAA in order to provide you with an opportunity to unsuspend your account by renewing it. At the end of the suspension period, SurveyMonkey will close your account and delete all data in it.
While an account is suspended, you may also contact us to request an exported copy of all your survey data, or request to close your account immediately.
If you close your HIPAA-enabled account or team, the BAA will terminate.
If you terminate the BAA, then, subject to the terms of the BAA, your HIPAA-enabled account or team will be closed. Our standard BAA is written so as to always provide you with an opportunity to save a copy of your survey data before your account gets closed.
HIPAA Security Tips
Once you enable HIPAA-compliant features on your account or team, follow these best practices when performing certain actions to help ensure that you're handling your data responsibly and securely.
Exporting survey results
If you download survey results to your own computer, please ensure that those downloaded files are handled appropriately since they contain protected health information. We suggest that you secure those files by encrypting them and only transferring them under an encrypted connection.
Sharing surveys with collaborators
When you share a survey with others, the users with whom you decide to collaborate will have access to view and edit that survey, including any survey responses you've collected. Remember to use this feature in a manner consistent with your HIPAA obligations. Only collaborate with people who are authorized to work on that survey.
Transferring a survey to another account
If you must transfer a survey to a different SurveyMonkey account, ensure that you are absolutely certain that the receiving account is the one you intend to send it to. To transfer a survey, you must enter the exact username of that account. The transfer process cannot be undone without action by the receiving account holder.
If your survey contains protected health information (PHI), it is your responsibility to ensure that such PHI is only disclosed to an appropriate recipient. This means that if you transfer PHI to another account, it is crucial that that account is also HIPAA-enabled.
Collecting responses
If you collect protected health information (PHI) in your survey, we recommend that you use a Web Link Collector. Additionally, if you’re gathering protected health information in your surveys or have a HIPAA-enabled account, you should always have SSL encryption turned on. SSL improves security by encrypting surveys and survey results.
We do not recommend the use of an Email Invitation Collector. Email Invitation Collectors email survey invitations to recipients with a unique survey link tied to a recipient’s email address. If respondents are able to edit their responses, a recipient of an email invitation could complete all or part of a survey and forward their unique survey link to someone else. This would allow the second recipient to view the first recipient’s responses, which may contain PHI.
Sharing survey results
Your survey results may contain protected health information, so remember to only share survey results in a manner consistent with your HIPAA obligations. Only disclose results to authorized recipients.